[Top] [All Lists]

Re: WG Charter

1997-01-23 16:01:43
From:          Jeff Thompson <jefft(_at_)shore(_dot_)net>
To:            Arup Biswas <ABISWAS(_at_)novell(_dot_)com>, ietf-smime 
               smime-dev <smime-dev(_at_)RSA(_dot_)COM>
Subject:       Re: WG Charter
Date:          Thu, 3 Jan 1980 10:47:11 -0500

From: Arup Biswas <ABISWAS(_at_)novell(_dot_)com>

One small detail for the WG to resolve, we need to establish a protocol
about the certificates field  in the Signed Data message. Do we keep a
single certificate or the chain? Trusted Root Certificate first or last?
Similarly for the CRLs. 

I think you should push as many certificates when sending a message
that you think will help the recipient validate your public key.

Agreed in principle, but you will normally know the order in which to 
push them, it is not just any old random set of certificates, is it?

As for the certificates field, it is a SET OF, not a SEQUENCE OF.  

This is odd. The X.509 spec uses SEQUENCE for its forward and reverse 
certification paths, so why are we using SET ? This places 
unnecessary burden on the receiver to sort out the jumble.

If we are going to go for a SEQUENCE (or SET OF SEQUENCES which 
solves the multiple key problem), two alternative schemes are 
possible. Start with the trusted root (or roots), and if the receiver 
does not know any of them, he can pack up there and then. 
Alternatively, start with the senders certificate, and work down the 
chain from there till you come to a certificate you trust (which 
might be before a trusted root, so it can be more efficient)
But if it is a bag of certificates, as proposed, then the receiver 
has to sort them before he can start.

David W Chadwick
IT Institute, University of Salford, Salford M5 4WT
Tel +44 161 745 5351  Fax +44 161 745 8169
Email D(_dot_)W(_dot_)Chadwick(_at_)iti(_dot_)salford(_dot_)ac(_dot_)uk
Home Page
Understanding X.500

<Prev in Thread] Current Thread [Next in Thread>